Children’s Healthcare of Atlanta

Case Study: Validated Point-to-Point Encryption (P2PE)™ Solution

Putting patients and their personal information first

What does P2PE achieve for Children’s Healthcare of Atlanta?

CHOA: Due to the complexity of our hospital network, we wanted to implement a solution that would provide our customers with the most secure method of processing a payment card transaction at our 45 locations. We implemented a PCI-listed P2PE Solution to reduce the number of PCI DSS requirements that apply to our cardholder data environment (CDE), to secure our patients' payment data and to mitigate the risk of a payment data breach.

Bluefin: To achieve their goal to down-scope and secure their payment systems, CHOA set two objectives: reduce the overall size of their cardholder data environment (CDE) and reduce the number of applicable PCI DSS requirements. Implementing our P2PE solution accomplished both of these objectives swimmingly. CHOA was able to remove entire networks from the scope of their PCI DSS assessment and qualify for the PCI P2PE Self-Assessment Questionnaire (SAQ) which has about 35 questions. When compared to SAQ D which has about 350 questions, CHOA was able to simplify their PCI compliance program by roughly 90%.

Why did you see it as important to choose a P2PE Solution that is PCI-listed?

CHOA: Through our due diligence researching a number of providers, we discovered that many are selling their own encryption solution; however, it's not fully compliant from a PCI P2PE perspective unless it has been validated by the PCI Security Standards Council and listed on their website. Only PCI-listed solutions are recognized as meeting the requirements for merchants to reduce the scope of their PCI DSS assessment through the use of a P2PE Solution. Not only did we want the best security for our patients' payment data, but we also wanted the peace of mind that a PCI-listed P2PE Solution provides. PCI's P2PE Solution listing allows us to rely on audited facts and not on sales gymnastics or promises of protection.

Bluefin: CHOA implemented an encryption solution to protect against malware attacks which are the primary causes of point of sale (POS) breaches. It is also important to have physical protection within the card reader so that it can detect and respond to tampering. PCI requires card readers used in P2PE Solutions to be validated as physically secure and requires chain of custody and asset tracking to be maintained throughout the card reader lifecycle.

Why did you opt for Bluefin’s P2PE Solution?

CHOA: We researched the PCI-listed P2PE Solution providers to clearly understand their respective technologies and from an integration perspective, how it would best fit into our current environment with the least amount of interruption to our business process. Bluefin’s hands-on approach and service level was key in our decision making process. Bluefin offered an array of device options and integration points that CHOA could implement while providing the most secure processing environment for the organization.

What technology or adoption issues did you have to overcome to implement P2PE?

CHOA: During project planning, we identified the largest potential roadblock for CHOA as the integration and deployment of the P2PE devices. With 45 locations housing various departments within each location, it really became a master project to ensure that we serviced all the areas within the organization that processed card data. As it turned out, the deployment of the P2PE devices presented little to no challenge for us. And since employees were already trained to accept card data, using the new P2PE devices didn't require much re-training.

Bluefin: One of PCI P2PE’s greatest benefits is that it gives the merchant their network back. CHOA used PCI P2PE to encrypt card data in card readers which devalued the card data at the point of entry. Since the card data was devalued it did not pull CHOA’s networks and POS systems into scope for PCI DSS transmission security requirements. PCI P2PE saved CHOA from having to overhaul their network topology and network technology across 45 locations, saving time and money.

How are you responding to the increasing number of data breaches in the medical community?

CHOA: This has been a major concern for CHOA and for the customers we serve, which is primarily one of the reasons for implementing the P2PE Solution throughout our organization. P2PE has provided CHOA with an additional level of security to ensure that our customers' data is being handled properly and securely. There are hundreds of reported data breaches each year in healthcare. At CHOA, we put our patients first, which means that PCI-listed P2PE was an absolute must-have.

Children’s Healthcare of Atlanta is one of the largest pediatric clinical care providers in the U.S. and home to one of the top pediatric surgery programs in Georgia. Facilities include Children’s at Egleston, Children’s at Hughes Spalding and Children’s at Scottish Rite, as well as 27 neighborhood locations throughout metro Atlanta to make it more convenient for families – including the Marcus Autism Center, five Urgent Care Centers and facilities that offer primary care, sports medicine, rehabilitation and surgical services.

THE P2PE SOLUTION

Bluefin, one of the first to provide PCI P2PE in North America, now provides secure payment technologies to 16,000 locations worldwide. Bluefin has brought PCI-listed P2PE Solutions to health networks such as CHOA and the University of California Health System (UC Health) and has integrated with providers such as Epic Systems, whose software currently manages 190 million patient records electronically, and OnPlan Health, a leader in healthcare payment processing.

“2015 saw 253 healthcare data breaches, with 1 in 3 Americans affected – that’s over 112 million stolen records according to the Office of Civil Rights (OCR), part of the U.S. Department of Health and Human Services. Healthcare organizations such as CHOA see PCI P2PE as a necessary solution to protect a very important element of patient data – payment card information. With PCI P2PE, healthcare organizations are reducing compliance scope and mitigating breach risk for payment acceptance methods including in-person, mobile tablet, kiosk and contact centers.”
